Jack’s first advice was about appetite control: Stop yourself and colleagues from saying “We don’t have enough data” – there will always be uncertainty, you just have to know how to handle it in cyber risk analysis.
And the first step in that direction, Jack said, is to understand that there’s raw data (coming in from telemetry scans) and then there’s the interpreted data – but that’s only as good as the interpreting model it’s run through. Unfortunately, most organizations are using the “mental model”, as Jack calls it, basically a gut check by security staff.
Better decision making starts with a formal model (like Jack’s creation, Factor Analysis of Information Risk or FAIR) that shows you what data you need – scoping what’s important for answering your question – how to interpret the data and how to make clear your assumptions (so they might be challenged).
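To make the contrast between a "mental model" and a formal one concrete, here is an added example (not code from the talk, from Jack Jones, or from the FAIR Institute). It uses FAIR's top-level factoring of risk into Loss Event Frequency and Loss Magnitude, expresses each input as a calibrated min / most-likely / max range instead of "we don't have enough data", and runs a Monte Carlo simulation so the output is a distribution of annual loss rather than a single gut-check number. The scenario, its ranges, the triangular distribution and the Poisson draw of events per year are all constructed assumptions for illustration; the point is that every assumption is written down where it can be challenged.

```python
import math
import random
import statistics

# Constructed scenario (illustrative numbers, not data from the talk).
# Each input is a calibrated range: (minimum, most likely, maximum).
SCENARIO = {
    "name": "Credential phishing leading to mailbox compromise (constructed)",
    "lef": (0.5, 2.0, 6.0),              # loss events per year
    "lm": (20_000, 75_000, 400_000),     # loss magnitude per event, USD
}


def explicit_assumptions(scenario):
    """Return the assumptions in plain language so they can be reviewed."""
    lines = []
    for key, label in (("lef", "Loss Event Frequency (events/year)"),
                       ("lm", "Loss Magnitude per event (USD)")):
        lo, mode, hi = scenario[key]
        lines.append(f"{label}: min={lo}, most likely={mode}, max={hi}")
    return lines


def sample_triangular(rng, bounds):
    """Draw from a triangular distribution over (min, most likely, max).
    Assumption: a triangular shape is a reasonable stand-in for a
    calibrated estimate; other distributions could be substituted."""
    lo, mode, hi = bounds
    return rng.triangular(lo, hi, mode)


def poisson(rng, lam):
    """Knuth's algorithm: number of events in one year given mean rate lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(scenario, iterations=10_000, seed=1):
    """Monte Carlo over LEF and LM; returns summary statistics of annual loss."""
    rng = random.Random(seed)            # fixed seed so results are reproducible
    losses = []
    for _ in range(iterations):
        rate = sample_triangular(rng, scenario["lef"])
        events = poisson(rng, rate)      # how many loss events this simulated year
        # each event gets its own magnitude draw
        losses.append(sum(sample_triangular(rng, scenario["lm"]) for _ in range(events)))
    deciles = statistics.quantiles(losses, n=10)
    return {
        "iterations": iterations,
        "mean": statistics.fmean(losses),
        "p10": deciles[0],
        "p50": statistics.median(losses),
        "p90": deciles[-1],
        "max": max(losses),
    }


def gut_check_estimate(scenario):
    """The single-number 'mental model' answer: most-likely LEF x most-likely LM."""
    return scenario["lef"][1] * scenario["lm"][1]


if __name__ == "__main__":
    for line in explicit_assumptions(SCENARIO):
        print("assumption:", line)
    result = simulate_annual_loss(SCENARIO)
    print(f"gut check (point estimate): ${gut_check_estimate(SCENARIO):,.0f}")
    for key in ("p10", "p50", "mean", "p90", "max"):
        print(f"{key:>5}: ${result[key]:,.0f}")
```

Running it shows why the point estimate misleads: the most-likely-times-most-likely figure sits well below the mean and far below the 90th percentile, because the tail of the loss magnitude range dominates. The analysis also tells you which data to go and collect: if the p90 is driven by the upper end of Loss Magnitude, that range is the one worth narrowing with evidence.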
Jack left the audience with a warning and an action plan.
The warning: “Risk quantification is becoming a bigger deal every day, which means vendors are climbing onboard in their marketing.” Any tool that claims to score risk is using a model – ask what’s the model, is it open source and available for scrutiny (like FAIR)?
And the action plan:
“In the first three months following this presentation you should:
“Within six months you should: